---
title: Static Credentials
description: Set up GCP static credentials for Terrateam - the easiest way to get started
---

import { Steps } from '@astrojs/starlight/components';
import { Card } from '@astrojs/starlight/components';

<Card title="Quick Start" icon="rocket">
Static credentials are the fastest way to get Terrateam working with GCP. You'll create a GCP service account with programmatic access and store the credentials as GitHub secrets.
</Card>

## Setup Steps

<Steps>

1. ### Create a Service Account

   Create a dedicated service account for Terrateam in your GCP project:

   ```sh
   gcloud iam service-accounts create terrateam \
   --description="Terrateam service account" \
   --display-name="Terrateam" \
   --project="$PROJECT_ID"
   ```

   :::note[Set PROJECT_ID]
   Make sure to set your `PROJECT_ID` environment variable:
   ```sh
   export PROJECT_ID="your-gcp-project-id"
   ```
   :::

2. ### Attach IAM Role

   Attach an IAM role to give Terrateam the necessary permissions. We suggest `roles/editor` as a starting point:

   ```sh
   gcloud projects add-iam-policy-binding "$PROJECT_ID" \
   --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/editor"
   ```

   :::note[Choose Your Role]
   `roles/editor` is just a suggestion for getting started quickly. You should choose the role that best fits your security requirements:
   - **roles/editor** - Broad permissions, good for testing and development
   - **Custom roles** - More restrictive, recommended for production environments
   - **Other predefined roles** - Choose based on your specific needs
   :::

3. ### Create Service Account Key

   Generate a service account key file:

   ```sh
   gcloud iam service-accounts keys create terrateam-service-account-key.json \
   --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"
   ```

   :::caution[Save Your Key File]
   The `terrateam-service-account-key.json` file contains sensitive credentials. Keep it secure and don't commit it to version control.
   :::

4. ### Set GitHub Secret

   Add the GCP service account key as a secret to your GitHub repository:

   ```sh
   # Set your repository (replace with your actual org/repo)
   export REPO="your-org/your-repo"

   # Create the Google Credentials secret from the key file
   gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
   ```

   :::tip[Clean Up]
   After setting the GitHub secret, you can safely delete the local key file:
   ```sh
   rm terrateam-service-account-key.json
   ```
   :::

</Steps>

## Security Considerations

:::caution[Security Best Practices]
While static credentials are the easiest way to get started, consider these security practices:

- **Use least privilege**: Only grant the minimum roles Terrateam needs
- **Rotate keys regularly**: Create new service account keys periodically and delete old ones
- **Monitor usage**: Use GCP's Cloud Audit Logs to monitor Terrateam's activities
- **Consider OIDC for production**: For production environments, [OIDC setup](./oidc-setup) provides better security
:::

## Next Steps

Now that you have GCP authentication configured, you are now able to use Terrateam for plan and apply operations against GCP resources.

- Read about [Terrateam configuration](/getting-started/configuration) to customize your workflows
- Learn about [advanced workflows](/advanced-workflows/) for more complex setups
- Consider migrating to [OIDC authentication](./oidc-setup) for enhanced security
